[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code

To: <jeff.williams@xxxxxxxxx>
Subject: [Full-disclosure] Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code
From: Stephen de Vries <stephen@xxxxxxxxxxxx>
Date: Mon, 27 Mar 2006 20:50:10 +0700


On 27 Mar 2006, at 11:02, Jeff Williams wrote:

I am not a Java expert, but I think that the Java Verifier is NOTused on
Apps that >are executed with the Security Manager disabled (which Ibelieveis the default >setting) or are loaded from a local disk (see "...appletsloaded via the file system >are not passed through the byte codeverifier"
in http://java.sun.com/sfaq/)
I believe that as of Java 1.2, all Java code except the corelibraries must
go through the verifier, unless it is specifically disabled (java
-noverify).

I had the same intuition about the verifier, but have just testedthis and it is not the case. It seems that the -noverify is thedefault setting! If you want to verify classes loaded from the localfilesystem, then you need to explicitly add -verify to the cmd line.I tested this by compiling 2 classes where one accesses a publicmember of the other. Then recompiled the other and changed themethod access to private. Tested on:

Jdk 1.4.2 Mac OS X
Jdk 1.5.0 Mac OS X
Jdk 1.5.0 Win XP

all behave the same.

[~/data/dev/applettest/src]java -cp . FullApp
Noone can access me!!
[~/data/dev/applettest/src]java -cp . -verify FullApp

Exception in thread "main" java.lang.IllegalAccessError: tried toaccess field MyData.secret from class FullApp at FullApp.main(FullApp.java:23)

Using the same code with an Applet loaded from the filesystem throwsan IllegalAccessError exception as it should.



--
Stephen de Vries
Corsaire Ltd
E-mail: stephen@xxxxxxxxxxxx
Tel:    +44 1483 226014
Fax:    +44 1483 226068
Web:    http://www.corsaire.com





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- [Full-disclosure] Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code
  - From: Dinis Cruz

References:
- [Full-disclosure] RE: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code
  - From: Jeff Williams